Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Client can override server storage-quota #4093

Closed
m3nu opened this issue Oct 2, 2018 · 7 comments
Closed

Client can override server storage-quota #4093

m3nu opened this issue Oct 2, 2018 · 7 comments
Labels
bug security
Milestone
1.1.8

Comments

@m3nu
Copy link
Contributor

m3nu commented Oct 2, 2018
edited
Loading

Have you checked borgbackup docs, FAQ, and open Github issues?

Yes

Is this a BUG / ISSUE report or a QUESTION?

BUG

System information. For client/server mode post info for both machines.

Your borg version (borg -V).

1.1.7

Operating system (distribution) and version.

Debian 9

Hardware / network configuration, and filesystems used.

Ext4

How much data is handled by borg?

10MB

Full borg commandline that lead to the problem (leave away excludes and passwords)

  • command run on client: borg init -e none ssh://$REPO_HOST --storage-quota 1000M
  • forced ssh command on server:borg serve --restrict-to-repository /srv/repos/nz71ss19/repo --storage-quota 10M --append-only (server)
  • result: backup repo on server is initialized with 1000M instead of 10M. Client was able to override the server quota.

Describe the problem you're observing.

The repo-config file always gets the quota specified by the client. Quota-enforcement is also as per client-set quota.

Can you reproduce the problem? If so, describe how. If not, describe troubleshooting steps you took before opening the issue.

Run client and server commands (set in ssh command=)

Include any warning/errors/backtraces from the system logs

No errors

Possible fix by extending forced_result as done in #4091
@m3nu m3nu mentioned this issue Oct 2, 2018
Merged
@ThomasWaldmann ThomasWaldmann added this to the 1.1.8 milestone Oct 3, 2018
@ThomasWaldmann
Copy link
Member

For borg hosting providers, this might be a security issue, because users could use unlimited resources, even if the provider set a quota on borg serve side (e.g. via forced command in .ssh/authorized_keys).

@m3nu m3nu mentioned this issue Oct 3, 2018
Merged
@lfam
Copy link
Contributor

lfam commented Oct 5, 2018

Distro packagers should consider cherry-picking this commit for their packages, right?

@ThomasWaldmann
Copy link
Member

@lfam Yes, this is for 1.1.x: 975cc33

@ThomasWaldmann
Copy link
Member

Fixed by #4091 and #4095, thanks to @m3nu!

erictapen added a commit to erictapen/nixpkgs that referenced this issue Oct 6, 2018
@erictapen
borgbackup: patch bug that allowed for exceeding quotas
0cfc923 
See also borgbackup/borg#4093 for this.
@erictapen erictapen mentioned this issue Oct 6, 2018
Merged
9 tasks
Mic92 pushed a commit to NixOS/nixpkgs that referenced this issue Oct 7, 2018
@erictapen @Mic92
borgbackup: patch bug that allowed for exceeding quotas
45c83d9 
See also borgbackup/borg#4093 for this.

(cherry picked from commit 0cfc923)
@knutov
Copy link

knutov commented Nov 27, 2018

@ThomasWaldmann Current 1.1.8 milestone stuck for 15+ days. Is it possible to release binaries with this patch with version named like '1.1.7.1' or '1.1.8' now or near future?

@ThomasWaldmann
Copy link
Member

I'll release 1.1.8 soon.

@knutov
Copy link

knutov commented Dec 6, 2018

@ThomasWaldmann How soon is soon? )

@ThomasWaldmann ThomasWaldmann mentioned this issue May 6, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug security
Projects
None yet
Milestone
1.1.8
Development

No branches or pull requests
4 participants
@knutov @ThomasWaldmann @m3nu @lfam